Scanning Phase

This phase uses tools such as dialers, port scanners, network mappers, sweepers, and vulnerability scanners to scan the target. The hacker is now seeking any information that can help them mount an attack, such as computer names, IP addresses, and user accounts. With some basic information in hand, the hacker moves to the next phase and begins to test the network for other avenues of attack. The hacker may use a couple of methods to help map the network: looking for an automated email if possible or, based on the information gathered, emailing HR with an inquiry about a job posting.

Scanning can be considered a logical extension (and overlap) of active reconnaissance that helps attackers identify specific vulnerabilities. Attackers often use automated tools such as network scanners and war dialers to locate systems and attempt to discover vulnerabilities. An attacker follows a particular sequence of steps in order to scan a network; the scanning methods may differ based on the attack objectives, which are set before the attacker actually begins this process.

Scanning is a set of procedures for identifying live hosts, ports, and services, discovering the operating system and architecture of the target system, and identifying vulnerabilities and threats in the network. Network scanning is used to create a profile of the target organization. Scanning refers to collecting more information using complex and aggressive reconnaissance techniques: hackers are seeking any information that can help them perpetrate an attack, such as computer names, IP addresses, and user accounts, and in the process identify a quick way to gain access to the network and look for information.
Basically, at this stage, four types of scans are used:

- Pre-attack: the hacker scans the network for specific information based on the information gathered during reconnaissance.
- Port scanning/sniffing: this method includes the use of dialers, port scanners, and other data-gathering equipment.
- Vulnerability scanning: scanning the target for weaknesses/vulnerabilities.
- Information extraction: in this step the hacker collects information about ports, live machines and OS details, network topology, routers, firewalls, and servers.

How Scanning Tools Help Hackers

The most commonly used tools are vulnerability scanners, which can search for several known vulnerabilities on a target network and potentially detect thousands of vulnerabilities. This gives attackers the advantage of time, because they only have to find a single means of entry while the systems professional has to secure many vulnerable areas by applying patches. Organizations that deploy intrusion detection systems still have reason to worry, because attackers can use evasion techniques at both the application and network levels.

Attackers can gather critical network information, such as the mapping of systems, routers, and firewalls, with simple tools like traceroute, a standard network diagnostic command. They can also use tools like Cheops, a network management tool, to add sweeping functionality on top of what traceroute renders. Port scanners can be used to detect listening ports and so learn about the nature of the services running on the target machine. The primary defense against port scanners is to shut down unnecessary services. Appropriate filtering may also be adopted as a defense mechanism, but attackers can still use tools to determine the filtering rules.

Network Scanning

The purpose of each scanning process is given below:

- Port scanning: detecting open ports and the services running on the target.
- Network scanning: IP addresses, operating system details, topology details, trusted router information, etc.
- Vulnerability scanning: scanning for known vulnerabilities or weaknesses in a system.

Check for Live Systems

A ping scan checks for live systems by sending ICMP echo request packets. If a system is alive, it responds with an ICMP echo reply packet containing details such as TTL and packet size.

Check for Open Ports

Port scanning helps us find open ports, the services running on them, their versions, etc. Nmap is the powerful tool used mainly for this purpose. There are various types of scan:

Connect scan: identifies open ports by establishing a full TCP handshake with the target.
Nmap command: nmap -sT -v -p-

Half-open scan: otherwise known as a stealth scan, it scans the target in a stealthy way by not completing the TCP handshake, abruptly resetting the communication instead.
Nmap command: nmap -sS -v

XMAS scan: also called inverse TCP scanning. This works by sending packets with the PSH, URG and FIN flags set. The target does not respond if the port is open and sends a reset if the port is closed.

FIN scan: the FIN flag is set in the TCP packets sent to the target. Open ports do not respond, while closed ports send a reset response.
Nmap command: nmap -sF

ACK scan: the attacker sets the ACK flag in the TCP header, and the target's port status is inferred from the window size and TTL value of the RST packets received from the target.
Nmap command: nmap -sA -v

Null scan: works by sending TCP packets with no flags set to the target. Open ports do not respond, while closed ports respond with a RST packet.
Nmap command: nmap -sN -p-

Idle scan: the attacker tries to mask their identity by using an idle machine on the network to probe the status of the target's ports.
Nmap command: nmap -Pn -sI ZombieIp TargetIp

Banner Grabbing

Banner grabbing is the process of collecting information such as operating system details and the name of the running service with its version number.

Vulnerability Scanning

Mainly automated tools are used for this purpose. These scanners probe the target to find vulnerabilities or weaknesses in the target organization that attackers could exploit. Vulnerabilities include application vulnerabilities, configuration vulnerabilities, network vulnerabilities, operating system vulnerabilities, etc. Some examples: the operating system is not updated, default passwords are in use, plaintext protocols are in use, vulnerable protocols are running, etc.
Tools: Nessus, Acunetix

Draw Network Diagrams

With the information gathered, the attacker can draw a network diagram that gives them a picture of the target organization's network and architecture, helping them identify targets easily.
Tools: Network View, OpManager, etc.

Prepare Proxies

Proxies can be used to maintain the anonymity of the attacker by masking their IP address. Because a proxy acts as an intermediary between client and server, it can capture information passing through it, and the attacker can access resources remotely through it.
Eg: TOR browsers, onion sites, Proxify, Psiphon, etc.

Countermeasures:

- Configure the IDS and firewall to block probes.
- Keep firewall, router and IDS firmware updated.
- Run port scanners yourself to verify the security of the target.
- Add firewall rules restricting access to ports.
- Disable ICMP-based scanning at the firewall.

TCP Communication Flags

Flags can be thought of as signals or connection status indicators: just as a real flag represents a country, a TCP flag represents a particular connection state in a communication.

- URG (Urgent): the packet should be processed immediately.
- FIN (Finish): there will be no more transmission.
- RST (Reset): this flag resets a communication.
- PSH (Push): makes the server send all the buffered data immediately.
- ACK (Acknowledgement): states that the service/data was received.
- SYN (Synchronize): indicates a connection between hosts.

TCP/IP Communication

TCP/IP (Transmission Control Protocol / Internet Protocol) is the communication protocol best known for its reliability, which comes from the three-way handshake.

Three-way handshake

In TCP/IP communication, when a client requests a service this is represented by the SYN flag. After receiving the SYN flag the server understands that the client needs a service, so the server provides the requested service to the client. While providing the service, the server sends SYN+ACK to signal that the requested service is being provided. When the client receives the requested service, it tells the server that it has received it using the ACK flag. This method is called the three-way handshake.

TCP/IP is said to be reliable because of this handshake: each state is verified, so if any state is affected by errors (for example, the client has not received the service), the server will resend the requested service, because if the service is not received the client will not send an ACK and the server will understand that the service did not arrive.

TCP Connect / Full Open Scan

In a TCP connect (full open) scan the attacker checks whether the port is open by completing the three-way handshake. A TCP connect scan establishes a full connection and then terminates it with a RST packet.

Stealth Scan / Half Open Scan

A stealth scan involves resetting the TCP connection before the three-way handshake is completed. After receiving SYN+ACK from the server, the attacker sends a RST and terminates the connection.

PORT IS OPEN: the attacker sends packets with the FIN+URG+PUSH flags set. If the target port is open, the machine will not respond to this flag set.
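To show how the scan types and handshake states described above look from the defender's side, here is an added example (not from the original page) that classifies client-side TCP flag combinations and flags sources that probe many ports, including the SYN-then-RST pattern that a half-open scan leaves in a capture. The packet records and addresses are constructed, and the log format (source, destination, port, flag letters) is an assumption.

```python
"""Classify TCP probe packets and flag port-scan behaviour from a packet log.

Added example; the packet records below are constructed, not captured.
Flags use the letters S (SYN), A (ACK), F (FIN), R (RST), P (PSH), U (URG).
"""
from collections import defaultdict

# Scan signatures as the page describes them: the flag set a probe carries.
PROBE_SIGNATURES = {
    frozenset("FPU"): "xmas",   # FIN+PSH+URG: open ports stay silent, closed reply RST
    frozenset("F"): "fin",      # FIN only
    frozenset(): "null",        # no flags at all
    frozenset("S"): "syn",      # first packet of a handshake, or a half-open probe
    frozenset("A"): "ack",      # used to map filtering rules rather than open ports
}


def classify_probe(flags):
    """Map a flag string such as "FPU" to the scan type it matches, else "other"."""
    return PROBE_SIGNATURES.get(frozenset(flags.upper()), "other")


def summarize_flows(records):
    """Group client->server packets by flow and label each flow's handshake outcome.

    SYN followed by ACK means the three-way handshake completed (a connect scan or
    a real client); SYN followed by RST with no ACK is a half-open (-sS style)
    probe; a lone SYN is unanswered; anything else is labelled by its signature.
    """
    flows = defaultdict(list)
    for src, dst, dport, flags in records:
        flows[(src, dst, dport)].append(flags.upper())
    outcomes = {}
    for key, seq in flows.items():
        first = classify_probe(seq[0])
        if first == "syn":
            if any("A" in f and "S" not in f for f in seq[1:]):
                outcomes[key] = "connect"         # handshake completed, so it gets logged
            elif any("R" in f for f in seq[1:]):
                outcomes[key] = "half-open"       # SYN answered, then reset before ACK
            else:
                outcomes[key] = "syn-unanswered"  # what a SYN flood also leaves behind
        else:
            outcomes[key] = first
    return outcomes


def detect_port_scans(records, min_ports=5):
    """Return {src: {"ports": n, "methods": [...]}} for sources probing many ports."""
    outcomes = summarize_flows(records)
    per_src = defaultdict(lambda: {"ports": set(), "methods": set()})
    for (src, dst, dport), label in outcomes.items():
        per_src[src]["ports"].add((dst, dport))
        per_src[src]["methods"].add(label)
    return {
        src: {"ports": len(v["ports"]), "methods": sorted(v["methods"])}
        for src, v in per_src.items()
        if len(v["ports"]) >= min_ports
    }


# Constructed sample log: one half-open scanner, one XMAS scanner, one normal client.
SAMPLE_RECORDS = (
    [("10.0.0.7", "10.0.0.20", p, "S") for p in (21, 22, 25, 80, 443, 8080)]
    + [("10.0.0.7", "10.0.0.20", p, "R") for p in (22, 80, 443)]  # RST after SYN/ACK
    + [("10.0.0.9", "10.0.0.20", p, "FPU") for p in range(1, 7)]
    + [("10.0.0.5", "10.0.0.20", 443, "S"), ("10.0.0.5", "10.0.0.20", 443, "A"),
       ("10.0.0.5", "10.0.0.20", 443, "PA")]
)

if __name__ == "__main__":
    for src, info in detect_port_scans(SAMPLE_RECORDS).items():
        print(f"{src}: {info['ports']} ports, methods={info['methods']}")
```

A half-open scan never completes the handshake, so it does not appear in connection logs, but the SYN/RST pairs are visible to anything watching packets at the network level.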
PORT CLOSED: if the port is closed, the machine will send a RST immediately.

The 3-way handshake is very important to understand. It happens each time you connect to a website. I looked at it like a phone call between you and me: I call you (SYN), you answer the phone and say hello (SYN+ACK), and I ask how you are doing (ACK). Then RST/FIN tears down the connection. This is important to understand because these steps make your scan either passive or active. If you complete the 3-way handshake it is an active scan, and your IP will be logged in their network logs. If you perform a -sS scan, known as a stealth scan, you will not complete the 3-way handshake nor leave footprints. If the port is closed then a RST will be returned.

Not sure if the 3-way exploit still works or not: when you connect to a website you are assigned a number. Each time you transmit a message to the website your number increments by one; the web server has a different number from yours, and it also increments by one each time. Wireshark will grab the numbers while it is listening on the web. If you get the number, bump the person offline and use the proper sequence number, you assume the place of the person you bumped offline. The website will think it is still talking to the person you bumped; in many situations this can come in handy. A malicious hacker would perform this attack while you are accessing your online bank account, knock you offline, and have full access to your bank account and money.

There is a 4-way handshake called DragonBlood that deals with WiFi. You can perform a downgrade attack to bypass the encryption. The 4-way protocol calls for HTTPS, but if you log onto the website with HTTP instead of HTTPS, DragonBlood is backward compatible: it will drop from HTTPS to HTTP to communicate with you. Now DragonBlood is open to all HTTP attacks. To bypass WiFi security you can use Aircrack-ng and the tools it provides.
Turn on Aircrack-ng and use the de-authentication command to jam the WiFi signal; then, when the wireless devices automatically reconnect, you can capture the handshake and crack it to gain access. There is another attack that is similar: when you boot people off their connection, Aircrack-ng will capture their signal even if they have SSID broadcast turned off; then you spoof yourself as any other computer that has access to that network. I have a video of this attack that will be included.

Watering Hole Attack

The watering hole attack was named after the way animals going to the water for a drink get attacked there. You go to the local coffee shop where everyone is having their morning or lunch coffee break. Turn Kali on and use HTTrack to clone the coffee shop's web page and address. Next, boost your computer's power output, listed as Tx, to a higher level than the coffee shop's. This will boot everyone off the coffee shop's WiFi, and they will log in to your cloned website: the computer automatically re-logs in, but since you have a higher power level they will log into your cloned site. Now you can gather people's usernames and passwords.

Since your own computer will also automatically re-log into the website after being booted, exposing your username and password, you can install a kill switch that prevents this from happening and keeps you from becoming the victim.
https://restoreprivacy.com/vpn/kill-switch/
https://www.privacyaffairs.com/vpn-killswitch/

Evil Twin Attack

An evil twin attack is executed when you gain physical access to a company or home and connect your modem, making it look like the original modem. An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. The evil twin is the wireless LAN equivalent of the phishing scam. This type of attack may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent web site and luring people there.
An evil twin attack is an attack in which a hacker sets up a fake Wi-Fi network that looks like a legitimate access point in order to steal victims' sensitive details. Most often, the victims of such attacks are ordinary people like you and me.

The attack can be performed as a man-in-the-middle (MITM) attack. The fake Wi-Fi access point is used to eavesdrop on users and steal their login credentials or other sensitive information. Because the hacker owns the equipment being used, the victim has no idea that the hacker might be intercepting things like bank transactions.

An evil twin access point can also be used in a phishing scam. In this type of attack, victims connect to the evil twin and are lured to a phishing site, which prompts them to enter sensitive data such as their login details. These, of course, are sent straight to the hacker. Once the hacker has them, they might simply disconnect the victim and show that the server is temporarily unavailable.

The most common evil twin scenario you may come across in the wild is one with captive portals. Many public Wi-Fi networks use web pages that require your login details to connect you to the internet. The goal of this attack is to fool the victim into giving up their authentication details for a legitimate Wi-Fi network. Once the hacker has these details, they can log into the network, take control of it, monitor unencrypted traffic, and perform other MITM attacks. Let's delve deeper into what happens at every step of this attack.

Step 1: hacker sets up a fake wireless access point

A hacker chooses a public place that has many hotspots, such as your local Starbucks or an airport. Such places usually have multiple Wi-Fi access points with the same name. That is convenient if you are walking around the building and don't want to lose your connection, but it also makes the hacker's job much easier when it comes to creating a fake hotspot with the same Wi-Fi name.
Now the bad actor can use anything from a network card, tablet, or laptop to a portable router or a Wi-Fi Pineapple (if they need more range) to create a hotspot. It's pretty easy: just think about the last time you used your phone as a hotspot to share a connection with your other devices or your friends. That's exactly what a hacker does; however, they use the same Service Set Identifier (SSID), also known simply as the Wi-Fi name, as the legitimate one. Why does this matter? Because most devices aren't clever enough to distinguish between a legitimate and a fake access point if they have the same SSID. (Some hackers go as far as cloning the MAC address of the trusted network.) That's why it's called an evil twin!

Step 2: hacker creates a fake captive portal

If you've ever used public Wi-Fi, you have probably seen a captive portal page. They usually either ask for some basic information about you or prompt you to enter the Wi-Fi login and password. The problem with captive portals is that there is no standard for how they should look, and they are usually poorly designed. Those who use public Wi-Fi are so used to them being this way that it is hard to tell the difference between a legitimate page and a fake one. Unfortunately, if you come across the latter, it will send your details straight to the hacker.

Hackers might skip this step if they are setting up an evil twin of a Wi-Fi network that is open and thus has no captive portal. If the legitimate Wi-Fi has a password, faking a captive portal helps the hacker get the login details and connect to the network.

Step 3: hacker makes victims connect to the evil twin Wi-Fi

Now that the hacker has a hotspot and a captive portal, they need to make people ditch the legitimate connection and connect to theirs.
This can be done in two ways:

- They create a stronger Wi-Fi signal by positioning themselves closer to their victims, which results in nearby devices automatically connecting to the evil twin.
- They kick everyone off the main network by DDoSing it or by flooding it with deauthentication packets. The devices connected to the legitimate network are disconnected, which leads users back to their Wi-Fi connection page. Now they will see a new network with an identical name, which will most likely be marked 'Unsecure'. This sets off alarm bells for security-aware users, but many people simply brush it off. This method might not work in an office environment, where it would raise suspicion.

Step 4: hacker steals login details

If the evil twin has a fake captive portal, the user is directed straight to the login page when they click on the new network. They are required to enter the same login details they used the first time they connected to the legitimate network. This time round, however, they are sending these details to the hacker. Now that the hacker has them, they can monitor network traffic and what you do online. If you tend to use the same login details for all your accounts, the hacker could also use them in credential stuffing attacks.

How to protect yourself

- Don't log into any accounts on public Wi-Fi. This way, the hacker will not be able to steal your credentials and use them against you.
- Avoid connecting to Wi-Fi hotspots marked 'Unsecure', even if they have a familiar name.
- Use 2-factor authentication for all your sensitive accounts. This way, even if a hacker gets hold of your login credentials, they will still struggle to get into your accounts.
- Learn to recognize social engineering attacks, phishing, and spoofed URLs.
- Only visit HTTPS websites, especially on open networks. HTTPS websites provide end-to-end encryption, making it difficult or impossible for hackers to see what you do when you visit them.
- Don't dismiss your device's notifications, especially if you were kicked off the network and are connecting to what you think is a known Wi-Fi network. If your device recognizes it as a new network, don't ignore it!
- Don't auto-save Wi-Fi networks on your device, because when it is not connected to your home or office network it transmits so-called probes. These can give out a lot of information about you, including your home address. Hackers can sniff this information and pretend to be your home network.
- Use a VPN whenever you connect to a public hotspot. It encrypts your traffic before it leaves your device, making sure that no one sniffing the traffic can see your browsing behavior.

Password-Based Attacks

Password-based access control is the common denominator of most network and operating system security policies. It is used to determine who you are, that is, your user name and password, your computer and your network access rights. Old systems do not always protect identity information, because authentication information is transmitted across the network, which could give an eavesdropper legitimate user access to the network. The intruder has the same privileges as the actual client if they enter with a legitimate user account; therefore, the intruder may also create accounts for later access if the client has administrator-level privileges. An attacker can do any of the following after accessing your network with a legitimate account:

- Obtain lists of the relevant client and network data and device names.
- Modify database and network configuration, including routing and access controls.
- Adjust your information, re-route it, or delete it.

Man-in-the-Middle Attack

As the name suggests, a man-in-the-middle attack occurs when someone in the middle is constantly tracking, capturing and monitoring your communication, sitting between you and the person with whom you interact.
The attacker can, for instance, restart the data exchange. At a low level of the network layer, computers cannot determine with whom they are sharing information while they are communicating. Man-in-the-middle attacks are like someone taking up your identity to read your messages: the other person might assume it is you, because the intruder may deliberately respond so that you sustain the exchange and they obtain more information. This attack can do the same damage as the application-layer attack mentioned below in this section.

Close-in Attack

A close-in attack involves someone who attempts to physically get close to the elements, data or structures of a network to find out more about it. It consists of ordinary persons getting into close physical proximity to networks, systems or facilities to alter or collect information or to deny access. Close physical proximity is achieved by surreptitious network entry, open access, or both. A popular form of close-in attack is social engineering: through social interaction, an email message or a telephone call, the attacker exploits the network and device.

Identity Spoofing

Most networks and operating systems use the IP address of a device to identify a legitimate entity. An intruder can also craft IP packets from valid addresses in the corporate intranet using specific programs. The hacker may alter, remove, or erase your data after accessing the network using a valid IP address. As described in the following sections, the attacker may also perform other types of attacks.

Compromised-Key Attack

A key is a secret code or number required for processing secure information. While it is possible for an attacker to obtain a key, doing so is a complicated and resource-intensive process. Once an attacker has obtained it, the key is considered compromised. An attacker uses the compromised key to gain access to secure communication without the attack being detected by the sender or recipient.
The attacker may decrypt or alter the information by using the compromised key, or use it to generate additional keys that give the attacker access to other secure communications.

Application-Layer Attack

An application-layer attack targets database servers, deliberately triggering a failure in a server's operating system or applications. It helps the intruder bypass standard access controls. The intruder takes advantage of this situation to gain control of your application, device or network and can do any of the following:

- Read your data or your operating system, or add, delete or change them.
- Introduce a virus program to copy viruses across your network using your computers and software applications.
- Introduce a sniffer to evaluate and collect information that can eventually crash or corrupt the network and systems.

Passive Attack

A passive attack tracks unencrypted traffic and looks for passwords or confidential information for use in other attack forms. Passive threats include traffic analysis, monitoring of insecure communications, decryption of weakly encrypted traffic, and collection of authentication information such as passwords. Passive network monitoring allows opponents to see future actions. Passive attacks lead, with no user consent or knowledge, to the disclosure of information or data files to an attacker.

Active Attack

In an active attack the attacker attempts to hack or crack into secure systems. It can take place through stealth, worms, viruses or Trojan horses. Active attacks include attempts to circumvent or break security software, malicious code, and theft or alteration. Such attacks may be mounted on a network backbone, take advantage of information in transit, join an enclave electronically, or target a remote authorized user while attempting to link to an enclave. Active attacks lead to alteration of data files, DoS and modification; software is exposed and disseminated.
Close-in Attack

A close-in attack means someone who attempts to physically approach devices, data, or systems to learn about them. It consists of individuals who get close to networks, systems, or installations to alter, capture or deny access to information. Close physical proximity is reached by surreptitious open access, network access, or both. A social engineering attack is a common form, where the aggressor compromises the network or process through social interaction with an individual, by e-mail or by phone. The attacker can use various tricks to get the person to expose company security information. The information the victim provides is most likely to be used to gain unauthorized access to a device or network for subsequent attacks.

DoS

A DoS attack renders legitimate users unable to use a network, server or other resources. DoS attacks fall into one of three groups:

- Bandwidth flooding: the attacker sends a deluge of packets to the target host, so many that the access path to the target is blocked and legitimate packets cannot reach the server.
- Vulnerability attack: sending a set of well-constructed messages to a vulnerable program or operating system on the targeted host. If a vulnerable program or operating system receives the right sequence of packets, the service can stop or the host can crash.
- Connection flooding: many TCP connections to the target host are opened, half-open or completely open. With these fake connections the host can become so enmeshed that it can no longer accept valid connections.

Packet Sniffer

A packet sniffer is a passive receiver that records a copy of every packet flying by. Any passive receiver near a wireless transmitter can get a copy of each transmitted packet. Such packets can contain sensitive information such as social security numbers, passwords, personal messages, and business secrets. Cryptography provides some of the best defenses against packet sniffing.
Malware

Malware is software specifically intended to interrupt, damage or obtain unauthorized access to a computer system. Some malware today replicates itself: once a host becomes infected, it looks for connections from that host to other hosts over the internet and seeks entry into even more hosts from the newly infected host. Self-replicating malware can propagate exponentially fast in this way.

Insider Attack

Insider attacks involve someone from inside the company or system, such as an insecure worker who may or may not be malicious, targeting the network. Intentional malicious insiders eavesdrop, steal or erase data, use it fraudulently, or deny access to other authorized users. Non-malicious insider attacks are due to lack of consideration, lack of awareness or deliberate circumvention of security, for example to get a job done.

Cross-site scripting attack

A cross-site scripting attack is a kind of cyber attack in which JavaScript is used to exploit a web application. A web application vulnerable to this kind of attack can be detected manually by filling in and submitting the text fields and checking whether the application runs proper checks or just lets the script run without any sanitization. The severity of this attack is high enough to get some useful information to the hacker. To defend against this attack, the application must always be developed to check the values submitted by the user instead of processing them blindly.

Phishing attack

This is a very common kind of attack that falls under the category of social engineering. In this attack, the hacker sends the authenticated user a URL of a web page that looks exactly like the legitimate website and tricks the user into submitting their credentials. The hacker then uses the credentials to get full access to the system and make their desired changes.
Some websites have developed systems to protect themselves from phishing attacks, but one must still be very careful before submitting credentials anywhere.

IP Spoofing

This method uses a fake source address to insert packets into the Internet and is one way to masquerade as another user. End-point authentication, which guarantees that a message came from the location we believe it came from, would help protect against IP spoofing.

Logic Bombs

A logic bomb is a malicious program or piece of code inserted into an operating system or computer network that triggers a malicious function after a certain amount of time. The code can be inserted into existing software or into other forms of malware such as viruses, worms or Trojan horses. Its main purpose is deleting or altering data, reformatting a hard drive or performing other malicious acts on a specified date.

Rootkit

A rootkit is a malicious program that installs and executes code on a system without user consent in order to gain access to a computer or network. It is typically installed by exploiting system vulnerabilities, social engineering tactics, stolen passwords or phishing techniques, without the victim's knowledge. There are different types of rootkit, such as bootkits, firmware rootkits, kernel-level rootkits and application rootkits.

Buffer Overflow Attacks

The most common kind of DoS attack is simply to send more traffic to a network address than the programmer expected for the size of the buffers. A few of the better-known attacks based on the buffer characteristics of a program or system include:

- Sending e-mail messages that have attachments with 256-character file names to Netscape and Microsoft mail programs.
- Sending oversized Internet Control Message Protocol (ICMP) packets.
- Sending a user of an e-mail program a message with a "From" address longer than 256 characters.
Smurf Attack

In this attack, the perpetrator sends an IP ping request to a receiving site. The ping packet specifies that it is to be broadcast to a number of hosts within the receiving site's local network. The packet also indicates that the request is from another site, which is the target site that is to receive the denial of service. The result is lots of ping replies flooding back to the innocent, spoofed host. If the flood is great enough, the spoofed host will no longer be able to receive or distinguish real traffic.

SYN floods

When a computer wants to make a TCP/IP connection to another computer, usually a server, an exchange of TCP SYN and TCP ACK packets occurs. The computer requesting the connection, usually the client's or user's computer, sends a TCP SYN packet asking the server if it can connect. If the server is ready, it sends a TCP SYN-ACK packet back to the client to say "Yes, you may connect" and reserves space for the connection, waiting for the client to respond with a TCP ACK packet. In a SYN flood, the address of the client is often forged, so that when the server sends the SYN-ACK back, the message is never received by the client, because the client either doesn't exist or wasn't expecting the packet and ignores it. This leaves the server with a dead connection, reserved for a client that will never respond. Usually this is done to one server many times in order to reserve all the connections for unresolved clients, which keeps legitimate clients from making connections.

Whale-phishing Attacks

A whale-phishing attack is so named because it goes after the "big fish" or whales of an organization, typically those in the C-suite or others in charge of the organization. These individuals are likely to possess information that can be valuable to attackers, such as proprietary information about the business or its operations.
If a targeted "whale" downloads ransomware, they are more likely to pay the ransom to prevent news of the successful attack from getting out and damaging their reputation or the organization's. Whale-phishing attacks can be prevented by taking the same precautions as for any phishing attack: carefully examining emails and the attachments and links that come with them, and keeping an eye out for suspicious destinations or parameters.

Spear-phishing Attacks
Spear phishing is a targeted form of phishing. The attacker takes the time to research the intended target and then writes messages the target is likely to find personally relevant. These attacks are aptly called "spear" phishing because the attacker homes in on one specific target. The message will seem legitimate, which is why a spear-phishing attack can be hard to spot. Often, a spear-phishing attack uses email spoofing, where the "From" header of the email is faked so that the message appears to come from a different sender: someone the target trusts, such as a person in their social network, a close friend, or a business partner. Attackers may also use website cloning, copying a legitimate website to lull the victim into a sense of comfort; the target, thinking the site is real, then feels comfortable entering private information. As with regular phishing, spear-phishing attacks can be prevented by carefully checking the details in all fields of an email and making sure users do not click on any link whose destination cannot be verified as legitimate.

SQL Injection Attack
Structured Query Language (SQL) injection is a common method of taking advantage of websites that depend on databases to serve their users.
Clients are computers that get information from servers, and an SQL injection attack uses an SQL query sent from the client to a database on the server. The command is inserted, or "injected", into the data plane in place of something that normally goes there, such as a password or login. The server that holds the database then runs the command and the system is penetrated. If an SQL injection succeeds, several things can happen, including the release of sensitive data or the modification or deletion of important data. An attacker may also be able to execute administrative operations, such as shutting the database down, which interrupts its function. The primary defense against SQL injection is to never build queries by pasting user input into SQL text: use parameterized queries (prepared statements), so the query structure is fixed and the input is only ever treated as data. Alongside that, apply the least-privileged model. With least-privileged architecture, only those who absolutely need to access key databases are allowed in, and the account the application uses to reach the database gets only the rights its queries need, so a successful injection cannot drop tables or shut the server down. Even if a user has power or influence within the organization, they may not be allowed to access specific areas of the network if their job does not depend on it. For example, the CEO can be kept from accessing areas of the network even if they have the right to know what is inside. Applying a least-privileged policy limits damage not just from bad actors but also from well-meaning users who accidentally expose their login credentials or leave their workstations unlocked while away.

URL Interpretation
With URL interpretation, attackers alter and fabricate URLs and use them to reach the target's personal and professional data. This kind of attack is also referred to as URL poisoning (or, more generally, forced browsing). The name "URL interpretation" comes from the fact that the attacker knows the order in which a web page's URL components need to be entered; they "interpret" this syntax to work out how to get into areas they do not have access to.
To execute a URL interpretation attack, a hacker may guess URLs that lead to administrator functions, to the site's back end, or to another user's account. Once on the page they want, they can manipulate the site itself or gain access to sensitive information about its users. For example, to get into the admin section of a site called GetYourKnowledgeOn.com, they may type http://getyourknowledgeon.com/admin, which brings them to an admin login page. In some cases the admin username and password are still the default "admin" and "admin", or are easy to guess. An attacker may also already have worked out the admin's password or narrowed it down to a few possibilities; they try each one, gain access, and can then manipulate, steal, or delete data at will. To stop URL interpretation attacks, enforce authorization on the server for every sensitive URL rather than relying on the URL being unknown, change or remove default credentials, and use secure authentication for the sensitive areas of the site, which may mean multi-factor authentication (MFA) and strong passwords of seemingly random characters.

DNS Spoofing
With Domain Name System (DNS) spoofing, a hacker alters DNS records, or injects forged answers into a resolver's cache, to send traffic to a fake or "spoofed" website. Once on the fraudulent site, the victim may enter sensitive information that the hacker can use or sell. The hacker may also construct a poor-quality site with derogatory or inflammatory content to make a competitor look bad. The attack works because the user believes the site they are visiting is legitimate, which lets the attacker commit crimes in the name of an innocent company, at least from the visitor's perspective. To prevent DNS spoofing, keep DNS servers up to date: attackers exploit vulnerabilities in DNS software, and recent versions contain fixes for known ones. Also enable DNSSEC validation on resolvers, so forged answers fail the signature check, and make sure resolvers randomize source ports and transaction IDs to make cache poisoning harder.
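Going back to the SQL injection section above, here is the flaw and the fix side by side. This is an added example, not code from the original page: an in-memory SQLite table stands in for the application's users table (the table, accounts and passwords are constructed for the demo), a vulnerable login builds its query by string concatenation, and the parameterized version sends the query text and the values separately so the same payloads are treated as plain data.

```python
import sqlite3

# Constructed demo database: an in-memory SQLite table standing in for the
# application's users table. Plaintext passwords are used only to keep the
# demo short; real code stores a salted hash.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The flaw: user-controlled text is spliced into the query string, so the
    database cannot tell data from SQL."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """The fix: a parameterized query. The query text is fixed; the values are
    bound separately and are never parsed as SQL, whatever they contain.
    Least privilege is the second layer: the account this connection uses
    should only be allowed to SELECT from users, nothing more."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo() -> dict:
    """Run both logins against two classic payloads and a legitimate login."""
    conn = build_demo_db()
    # Tautology in the password field: the WHERE clause becomes
    # username = 'alice' AND password = 'x' OR '1'='1', true for every row.
    tautology = "x' OR '1'='1"
    # Comment in the username field: the trailing -- turns the rest of the
    # query, including the password check, into a SQL comment.
    comment_out = "admin' OR 1=1 --"
    return {
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "vuln_comment": login_vulnerable(conn, comment_out, "anything"),
        "safe_tautology": login_parameterized(conn, "alice", tautology),
        "safe_comment": login_parameterized(conn, comment_out, "anything"),
        "legit": login_parameterized(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:15s} -> {row}")
```

Both payloads log the attacker in as the first row of the table (the admin) through the vulnerable function and return nothing through the parameterized one. Note that the payloads never reach the parameterized query as SQL at all; there is nothing to "sanitize", which is why prepared statements beat input filtering as the primary control.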
Session Hijacking
Session hijacking is one of several types of man-in-the-middle (MITM) attacks. The attacker takes over an existing session between a client and a server. In the network-level form, the attacking computer substitutes its IP address for that of the client (and, for TCP, guesses or observes the sequence numbers), and the server continues the session without suspecting it is now communicating with the attacker. This works because the server trusts the already-established connection rather than re-verifying who is on the other end. In web applications the same idea applies to the session token, usually a cookie: whoever presents a valid token is treated as the logged-in user, so an attacker who sniffs, steals, or predicts it can step into the session partway through without the server noticing anything unusual. To prevent session hijacking, encrypt the whole session so the token and the traffic cannot be read in transit: use TLS, or a VPN to reach business-critical servers, so an attacker cannot get into the encrypted tunnel. Also mark session cookies Secure and HttpOnly, regenerate the session ID at login, and expire idle sessions.

Brute Force Attack
A brute-force attack gets its name from the "brutish" or simple method it uses: the attacker simply tries to guess the login credentials of someone with access to the target system, and once they get it right, they are in. While this sounds time-consuming and difficult, attackers use bots to do the guessing. The attacker gives the bot a list of candidate credentials, the bot tries each one while the attacker sits back and waits, and the criminal gains access once the correct pair has been entered. To prevent brute-force attacks, have lockout policies in place as part of your authentication security architecture: after a certain number of failed attempts the account is locked. This typically involves "freezing" the account, so that even a retry from a different device with a different IP address does not bypass the lockout. Note the trade-off: a blanket lockout lets an attacker lock legitimate users out on purpose, so pair it with rate limiting, progressive delays, and multi-factor authentication. It is also wise to use random passwords without regular words, dates, or sequences of numbers in them.
This is effective because, for example, even if an attacker uses software to guess a 10-character password drawn from the 95 printable ASCII characters, there are 95^10 (about 6 x 10^19) possibilities, so even at billions of guesses per second the search takes many years of non-stop attempts.

Web Attacks
Web attacks are threats that target vulnerabilities in web-based applications. Every time you enter information into a web application, you are initiating a request that generates a response. For example, if you are sending money to someone using an online banking application, the data you enter instructs the application to go into your account, take money out, and send it to someone else's account. Attackers work within the framework of these kinds of requests and use them to their advantage. Common web attacks include SQL injection (covered above) and cross-site scripting (XSS). Hackers also use cross-site request forgery (CSRF) attacks and parameter tampering. In a CSRF attack, the victim's browser is tricked into sending a request that benefits the attacker, riding on the victim's existing logged-in session. For example, the victim may click on something that submits a form designed to change the login credentials of a web application account. The hacker, armed with the new login credentials, can then log in as the legitimate user. Parameter tampering involves changing parameters that programmers rely on as security measures for specific operations, such as a price or an account ID carried in a hidden form field or query string. The operation's execution depends on what the parameter contains; the attacker simply changes it and bypasses any security measure that trusted it. To avoid web attacks, inspect your web applications to check for, and fix, vulnerabilities. One way to close CSRF without impacting the application's performance is anti-CSRF tokens. A token is issued to the user's browser and must be sent back with every state-changing request. Before the command is executed, the token's validity is checked against the user's session. If it checks out, the command goes through; if not, it is blocked.
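The token exchange described above, as an added example that is not part of the original page: the token is an HMAC over the session ID and a fresh nonce under a server-side secret, so it needs no server-side storage, cannot be reused across sessions, and is compared in constant time. The session ID, the request dictionary and the transfer handler are constructed for the demo; a real framework would wire the same checks into its request pipeline.

```python
import hashlib
import hmac
import secrets

# Assumption for the demo: a server-side secret that never reaches the
# browser. Rotating it invalidates every outstanding token.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Mint a token bound to this session: random nonce + HMAC over session
    and nonce. The MAC is the proof that the server issued it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for (session, nonce) and compare in constant time,
    so a forged token cannot be confirmed byte by byte through timing."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session cookie: SameSite=Strict keeps the
    browser from attaching it to requests that start on another site, Secure
    confines it to HTTPS, HttpOnly hides it from page scripts."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Strict"


def handle_transfer(request: dict, cookie_session_id: str) -> str:
    """Toy handler for a state-changing POST. `request` is a constructed dict
    with 'method' and 'form'; `cookie_session_id` is what the browser sent in
    the session cookie. Anything without a valid token for that session is
    refused before the transfer logic runs."""
    if request.get("method") != "POST":
        return "405 method not allowed"
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(cookie_session_id, token):
        return "403 forbidden: missing or invalid CSRF token"
    return "200 transfer executed"


if __name__ == "__main__":
    sid = "sess-123"
    token = issue_csrf_token(sid)
    # Legitimate page: the form the server rendered carries the token.
    print(handle_transfer({"method": "POST", "form": {"to": "bob", "csrf_token": token}}, sid))
    # Attacker's page: the browser still sends the cookie, but the attacker
    # cannot read the token out of the victim's page, so the form lacks it.
    print(handle_transfer({"method": "POST", "form": {"to": "attacker"}}, sid))
    print(session_cookie_header(sid))
```

The attacker's cross-site form fails because the token lives in the page body, which the same-origin policy keeps the attacker from reading, while the cookie is sent automatically; binding the token to the session ID also means a token harvested from the attacker's own account does not validate for the victim's.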
You can also use the SameSite cookie attribute, which stops the browser from attaching the session cookie to requests that originate from another site, rendering any site built by the attacker powerless.

Drive-by Attacks
In a drive-by attack, a hacker embeds malicious code in an insecure website. When a user visits the site, the script runs automatically in their browser and, through a browser or plug-in vulnerability, infects their computer. The designation "drive by" comes from the fact that the victim only has to "drive by" the site by visiting it to get infected; there is no need to click on anything or enter any information. To protect against drive-by attacks, users should keep browsers and the software they load, including plug-ins like Adobe Acrobat and Flash, fully patched (Flash has since been discontinued and should be removed rather than updated). Web-filtering software can also detect that a site is unsafe before a user visits it.

Birthday Attack
In a birthday attack, an attacker abuses a security feature: hash functions, which are used to verify the integrity and authenticity of messages. The hash of a message is what gets digitally signed (or covered by a MAC), and the receiver recomputes and checks it before accepting the message as authentic. If an attacker can find a second message with the same hash as the one the sender signed, the attacker can replace the sender's message with their own and the receiver will accept it, because the signature still verifies. The name "birthday attack" refers to the birthday paradox: in a room of 23 people there is more than a 50% chance that two of them share a birthday. In the same way, finding any two messages that collide takes only about the square root of the number of possible hash values (around 2^(n/2) trials for an n-bit hash), far fewer than the 2^n trials needed to match one specific value. To prevent birthday attacks, use longer hashes for verification: each extra bit of hash output multiplies the collision effort by the square root of 2, so doubling the hash length squares the work. This is a handful of network attacks; there are a lot more you will learn.
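The birthday bound above, demonstrated in code. This is an added example, not code from the original page: SHA-256 is truncated to a short tag (16, 24 or 32 bits) so the search finishes in seconds, deterministic candidate messages of the form "invoice #N" (constructed for the demo) are hashed until two share a tag, and the number of trials is compared with the sqrt(pi/2 * 2^bits) estimate.

```python
import hashlib
import math


def truncated_hash(message: bytes, bits: int) -> int:
    """SHA-256 cut down to its first `bits` bits, standing in for a short hash
    or MAC tag. The truncation is what makes the search feasible here."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_trials(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) random inputs before two
    share a value, versus 2^bits to hit one specific value (a preimage)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, limit: int = 1 << 22):
    """Hash distinct candidate messages until two collide on the truncated
    value. Returns (message_a, message_b, trials) or None if `limit` hits."""
    seen = {}
    for i in range(limit):
        msg = f"invoice #{i}".encode()
        tag = truncated_hash(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
    return None


def demo() -> list:
    """For each tag length: observed trials to the first collision next to
    the birthday estimate. Doubling the bits roughly squares the work."""
    rows = []
    for bits in (16, 24, 32):
        a, b, trials = find_collision(bits)
        rows.append((bits, trials, round(expected_trials(bits))))
    return rows


if __name__ == "__main__":
    for bits, trials, estimate in demo():
        print(f"{bits:2d}-bit tag: collision after {trials:7d} trials (expected ~{estimate})")
    a, b, _ = find_collision(32)
    print(a, b, hex(truncated_hash(a, 32)), hex(truncated_hash(b, 32)))
```

A 32-bit tag falls in under a hundred thousand hashes on a laptop; the full 256-bit digests of the two colliding messages still differ, which is the point of keeping hashes long. The same arithmetic says a 64-bit tag needs about 2^32 trials and a 128-bit one about 2^64, which is why truncated MACs are sized to the attacker's budget rather than to whatever fits in a packet.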
I will provide you with ISOs to load into a virtual machine (VM), such as VirtualBox, whichever you choose to use. Then you will gain experience by hacking the vulnerable ISO. In order to gather more data about the network we will dig deeper into scanning with Nmap. Nmap and the Nmap Scripting Engine (NSE) can gather a plethora of information from a computer or network. Nmap has a ton of arguments, or flags, as they might be called. I'm not going to post the full guide, but I will show you my train of thought. There are 65,535 ports on a computer and most of them have a specific purpose; you will examine the ports to find weaknesses in the protocol. The services might be old and have vulnerabilities, or could be End of Life (EOL), and Nmap will pull this data. There are a bunch of scans to consider. I usually perform a speed scan first to check the common ports. This returns in a matter of minutes and lets me know which common ports are open for me to examine further. Then I launch a stealth scan that scans all 65,535 ports to see what is open on the target IP addresses in the lab. When the reports return I launch another scan to dig further into the services to learn more. This will take a bit of time, so while waiting for the feedback to return, I scan the web directories with another tool and search for admin logins. I will go deeper into this shortly.

nmap [Scan Type(s)] [Options] {target specification}

This is Nmap's format for performing scans. There are probably 100-plus combinations to achieve what you desire; you can also write your own scripts for scanning with the NSE.
Target specification
  nmap 192.168.1.1                          Scan a single IP
  nmap 192.168.1.1 192.168.2.1              Scan specific IPs
  nmap 192.168.1.1-254                      Scan a range
  nmap scanme.nmap.org                      Scan a domain
  nmap 192.168.1.0/24                       Scan using CIDR notation
  -iL         nmap -iL targets.txt          Scan targets from a file
  -iR         nmap -iR 100                  Scan 100 random hosts
  --exclude   nmap --exclude 192.168.1.1    Exclude listed hosts

Scan techniques
  -sS   nmap 192.168.1.1 -sS   TCP SYN port scan (default)
  -sT   nmap 192.168.1.1 -sT   TCP connect port scan (default without root privilege)
  -sU   nmap 192.168.1.1 -sU   UDP port scan
  -sA   nmap 192.168.1.1 -sA   TCP ACK port scan
  -sW   nmap 192.168.1.1 -sW   TCP Window port scan
  -sM   nmap 192.168.1.1 -sM   TCP Maimon port scan

Host discovery
  -sL   nmap 192.168.1.1-3 -sL            No scan. List targets only
  -sn   nmap 192.168.1.1/24 -sn           Disable port scanning. Host discovery only
  -Pn   nmap 192.168.1.1-5 -Pn            Disable host discovery. Port scan only
  -PS   nmap 192.168.1.1-5 -PS22-25,80    TCP SYN discovery on port x. Port 80 by default
  -PA   nmap 192.168.1.1-5 -PA22-25,80    TCP ACK discovery on port x. Port 80 by default
  -PU   nmap 192.168.1.1-5 -PU53          UDP discovery on port x. Port 40125 by default
  -PR   nmap 192.168.1.1/24 -PR           ARP discovery on the local network
  -n    nmap 192.168.1.1 -n               Never do DNS resolution

Port specification
  -p           nmap 192.168.1.1 -p 21                 Port scan for port x
  -p           nmap 192.168.1.1 -p 21-100             Port range
  -p           nmap 192.168.1.1 -p U:53,T:21-25,80    Port scan multiple TCP and UDP ports
  -p-          nmap 192.168.1.1 -p-                   Port scan all ports
  -p           nmap 192.168.1.1 -p http,https         Port scan from service name
  -F           nmap 192.168.1.1 -F                    Fast port scan (100 ports)
  --top-ports  nmap 192.168.1.1 --top-ports 2000      Port scan the top x ports
  -p-65535     nmap 192.168.1.1 -p-65535              Leaving off the initial port in a range makes the scan start at port 1
  -p0-         nmap 192.168.1.1 -p0-                  Leaving off the end port in a range makes the scan go through to port 65535

Service and version detection
  -sV                        nmap 192.168.1.1 -sV                        Attempts to determine the version of the service running on each open port
  -sV --version-intensity    nmap 192.168.1.1 -sV --version-intensity 8  Intensity level 0 to 9. Higher number increases possibility of correctness
  -sV --version-light        nmap 192.168.1.1 -sV --version-light        Enable light mode. Lower possibility of correctness. Faster
  -sV --version-all          nmap 192.168.1.1 -sV --version-all          Enable intensity level 9. Higher possibility of correctness. Slower

OS detection
  -A                   nmap 192.168.1.1 -A                    Enables OS detection, version detection, script scanning, and traceroute
  -O                   nmap 192.168.1.1 -O                    Remote OS detection using TCP/IP stack fingerprinting
  -O --osscan-limit    nmap 192.168.1.1 -O --osscan-limit     If at least one open and one closed TCP port are not found it will not try OS detection against the host
  -O --osscan-guess    nmap 192.168.1.1 -O --osscan-guess     Makes Nmap guess more aggressively
  -O --max-os-tries    nmap 192.168.1.1 -O --max-os-tries 1   Set the maximum number x of OS detection tries against a target

Timing and performance
  -T0   nmap 192.168.1.1 -T0   Paranoid (0): Intrusion Detection System evasion
  -T1   nmap 192.168.1.1 -T1   Sneaky (1): Intrusion Detection System evasion
  -T2   nmap 192.168.1.1 -T2   Polite (2): slows down the scan to use less bandwidth and fewer target machine resources
  -T3   nmap 192.168.1.1 -T3   Normal (3): the default speed
  -T4   nmap 192.168.1.1 -T4   Aggressive (4): speeds up scans; assumes you are on a reasonably fast and reliable network
  -T5   nmap 192.168.1.1 -T5   Insane (5): speeds up scans; assumes you are on an extraordinarily fast network
  --host-timeout
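The workflow above ends with a full-port scan followed by a service scan, and the reports then need triage. As an added example that is neither the page's own code nor part of Nmap, the block below does two things a practitioner ends up writing anyway: it expands the -p port syntax from the cheat sheet (T:/U: prefixes, a-b ranges, the open-ended -b, a- and - forms) into concrete (protocol, port) pairs, and it parses Nmap's XML report (the -oX output) to list each live host's open ports with the service, product and version Nmap recorded, flagging ports whose service was only guessed from the port-number table and deserve a follow-up -sV --version-all. The XML sample is constructed to match the -oX format; it is not the output of a real scan, and the host address and versions in it are made up. Service names in -p (such as http) are not resolved by this helper.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for `nmap -sS -sV -p- -oX scan.xml <target>` output.
# Not a real scan result: the host, ports and version strings are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p- -oX scan.xml 192.168.56.101" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="65531"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.56.102" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

MAX_PORT = 65535


def parse_port_spec(spec: str, default_proto: str = "tcp") -> set:
    """Expand Nmap's -p syntax into (proto, port) pairs. A T:/U:/S: prefix
    sticks until the next prefix; "a-b", "-b" (from 1), "a-" (to 65535) and
    "-" (1-65535) are ranges. Numeric only; service names are not resolved.
    The default protocol is an assumption for the helper (Nmap applies the
    list to every protocol the scan types cover)."""
    names = {"T": "tcp", "U": "udp", "S": "sctp"}
    proto = default_proto
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in names:
            proto = names[item[0].upper()]
            item = item[2:]
        if not item:
            continue
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 1
            hi = int(hi) if hi else MAX_PORT
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"bad port range: {item}")
        ports.update((proto, p) for p in range(lo, hi + 1))
    return ports


def parse_nmap_xml(xml_text: str) -> dict:
    """Map each host reported up to its open ports and whatever service
    details Nmap recorded. Closed and filtered ports are skipped."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda key, default="": default)
            open_ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": get("name", ""),
                "product": get("product", ""),
                "version": get("version", ""),
                "method": get("method", ""),
            })
        hosts[addr] = sorted(open_ports, key=lambda p: (p["proto"], p["port"]))
    return hosts


def needs_version_probe(hosts: dict) -> list:
    """Open ports whose service came from the port-number table or carries no
    version string: candidates for a follow-up -sV --version-all scan."""
    return [(addr, p["port"]) for addr, ports in hosts.items()
            for p in ports if p["method"] != "probed" or not p["version"]]


if __name__ == "__main__":
    print(sorted(parse_port_spec("U:53,T:21-25,80")))
    for addr, ports in parse_nmap_xml(SAMPLE_XML).items():
        for p in ports:
            print(f"{addr} {p['proto']}/{p['port']:<5} {p['service']:<10} {p['product']} {p['version']}")
    print("re-probe:", needs_version_probe(parse_nmap_xml(SAMPLE_XML)))
```

Run the real thing with -oX and feed the file to parse_nmap_xml; the list it returns is the set of ports to examine by hand, and needs_version_probe is the input to the slower follow-up scan the author describes. Checking the versions against end-of-life dates is a separate step against your own product list, which this example does not include.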